[Samba] Migrating samba domain to new computer.

John McMonagle johnm at advocap.org
Tue Sep 7 13:43:11 MDT 2010


Got it fixed; the problem was with ldap.

Have 7 production ldap servers with a lot of data for many services.  
slapd.conf is about 400 lines. Actually it's a bunch of include files.

My mistake was to use my customized slapd from our kolab server.
Much to my surprise it wasn't the acls that got me but some of the extra 
server stuff to make kolab work.

John

On Monday 30 August 2010 02:57:26 pm John McMonagle wrote:
> Thanks Gaiseric
>
> Making progress but still messed up  :-(
>
> Turned up error messages in samba and getting some error message such as:
> _samr_SetUserInfo2: root does possess sufficient rights
>
> Odd, as I'm not using root.
> My administrator account is administrator not root.
>
> Set up over 4 years ago and the populate script created an account like this:
> dn: uid=administrator,ou=People,dc=advocap,dc=org
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> cn: administrator
> uid: administrator
> gidNumber: 512
> homeDirectory: /root
> givenName: Windows
> sn: Administrator
> gecos: Windows Administrator
> description: Windows Administrator
> shadowMin: 1
> shadowWarning: 10
> shadowInactive: 10
> shadowLastChange: 12726
> displayName: Windows Administrator
> sambaHomeDrive: U:
> sambaDomainName: ADVOCAP
> creatorsName: cn=Manager,dc=advocap,dc=org
> createTimestamp: 20041104200736Z
> loginShell: /bin/bash
> sambaLMPassword: xx
> sambaPwdLastSet: 1102083012
> sambaNTPassword: xx
> userPassword:: xx
> shadowMax: 99999
> shadowExpire: 22278
> sambaPwdCanChange: 1072850418
> sambaPwdMustChange: 1922119808
> sambaAcctFlags: [UX         ]
> uidNumber: 0
> structuralObjectClass: inetOrgPerson
> entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
> sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
> sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
> entryCSN: 20100827183656.000000Z#000000#000#000000
>
> I just ran smbldap-populate and it created:
> dn: uid=root,ou=People,dc=advocap,dc=org
> cn: root
> sn: root
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSAMAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> gidNumber: 0
> uid: root
> uidNumber: 0
> homeDirectory: /home/root
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomeDrive: U:
> sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
> sambaLMPassword: XXX
> sambaNTPassword: XXX
> sambaAcctFlags: [U          ]
> sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
>
> I have read some comments from people saying to have the administrator
> account be named root.   Has smbldap-tools or samba been changed to
> require the administrator to have the uid of root?
>
> On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
> > The localsid on a DC should be the domain sid.    You should be able to
> > fix this with "net setlocalsid" command.
> >
> > Generally in Windows you want to assign permissions and rights  to a
> > group rather than directly to a user.    As long as your Administrator
> > account is in the "Domain Admins" group and that group has a sid of
> > "*****-512" you should be OK.    I don't think Samba automatically adds
> > any rights or permissions to the Administrator user.  I had explicitly
> > added some rights to my Administrator account after upgrading to Samba
> > 3.4.8  when trying to fix some other issue-  it may not have been
> > necessary though.
> >
> >
> > # net rpc rights list Administrator -S myserver  -U Administrator
> > Enter Administrator's password:
> > SeMachineAccountPrivilege
> > SeAddUsersPrivilege
> >
> >
> > I am pretty sure if you run gpedit on a windows machine and look at
> > rights you will see that the rights are assigned to the Administrator
> > group not the domain administrator.
> >
> > On 08/27/2010 02:56 PM, John McMonagle wrote:
> > > How about some more specific problems.
> > >
> > > noticed that there is no localsid.
> > > net getlocalsid
> > > [2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
> > >    Can't fetch domain SID for name: OSHKOSH
> > >
> > > I have seen mention that the localsid should be the same as the
> > > domainsid when using ldap.
> > > Is that true?
> > >
> > > Seen comments that the user sid for the administrator must end with
> > > -500. Is that true?
> > > Mine is not. It will be painful to change but I can deal with it.
> > >
> > > Thanks
> > >
> > > John
> > >
> > > On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
> > >> Should have read this first:
> > >> http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
> > >>
> > >> Problem is I did it the wrong way on a few production systems.
> > >> Odds are this is the second time I did it wrong.
> > >>
> > >> Running Debian Lenny using smbldap.
> > >> It mostly works.
> > >> Existing members of the domain are working OK.
> > >> The first thing that got my attention is that I was not able to join a new xp
> > >> workstation to the domain.
> > >>
> > >> Also noticed that the server is not a member of the domain.
> > >> net rpc testjoin
> > >> [2010/08/26 14:20:26,  0]
> > >> rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
> > >>    get_schannel_session_key: could not fetch trust account password
> > >> for domain 'ADVOCAP'
> > >> [2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
> > >>    net_rpc_join_ok: failed to get schannel session key from server
> > >> FONDY for domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > >> Join to domain 'ADVOCAP' is not valid:
> > >> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> > >>
> > >> Can not join domain:
> > >>   net join -U administrator
> > >> Enter administrator's password:
> > >> [2010/08/26 14:25:48,  0]
> > >> utils/net_rpc_join.c:net_rpc_join_newstyle(349) error setting trust
> > >> account password: NT_STATUS_ACCESS_DENIED
> > >>
> > >> tdbdump secrets.tdb
> > >> does not show any entry for the server
> > >>
> > >> Looked at one of the old servers' secrets.tdb
> > >> and it did not have an entry for that server either.
> > >>
> > >> Any suggestions on the best way to fix this?
> > >>
> > >> John

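The thread turns on two checks for the LDAP-backed domain administrator entry: its sambaSID must sit under the domain SID with the well-known Administrator RID 500, and its primary group must be the domain's Domain Admins group (RID 512). The following script is an added example, not code from the thread or from smbldap-tools; it parses LDIF records like the two quoted above (including the `attr::` base64 form used for userPassword) and reports which of those conditions an entry fails. The sample LDIF and DOMAIN_SID are constructed from the quoted records, with placeholder password values.

```python
import base64
import re

# Constructed LDIF modelled on the two records quoted in the thread; the password
# values are placeholders, not the poster's directory data.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: sambaSamAccount
userPassword:: eHg=
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998

dn: uid=root,ou=People,dc=advocap,dc=org
objectClass: sambaSAMAccount
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
"""
DOMAIN_SID = "S-1-5-21-3708734655-3086812103-629500990"  # prefix shared by the quoted SIDs
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")  # (domain SID, RID)

def parse_ldif(text):
    """Split LDIF into dicts of attribute -> [values]; 'attr::' marks a base64 value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, val = line.partition("::" if "::" in line else ":")
            val = base64.b64decode(val.strip()).decode() if sep == "::" else val.strip()
            entry.setdefault(key.strip(), []).append(val)
        records.append(entry)
    return records

def check_domain_admin(entry, domain_sid=DOMAIN_SID):
    """Findings for an entry that is meant to be the domain Administrator account."""
    findings = []
    classes = {c.lower() for c in entry.get("objectClass", [])}  # LDAP names are case-insensitive
    if "sambasamaccount" not in classes:
        findings.append("missing sambaSamAccount objectClass")
    m = SID_RE.match(entry.get("sambaSID", [""])[0])
    if not m:
        findings.append("sambaSID missing or malformed")
    elif m.group(1) != domain_sid:
        findings.append("sambaSID is not under the domain SID")
    elif m.group(2) != "500":
        findings.append("RID %s is not the well-known Administrator RID 500" % m.group(2))
    g = SID_RE.match(entry.get("sambaPrimaryGroupSID", [""])[0])
    if not g or g.group(1) != domain_sid or g.group(2) != "512":
        findings.append("sambaPrimaryGroupSID is not <domain SID>-512 (Domain Admins)")
    return findings
```

Run against an `ldapsearch -LLL` dump of ou=People, the old `administrator` entry is flagged for its RID while the freshly populated `root` entry passes, which matches the difference between the two records in the thread.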